[00:00.990 --> 00:09.730]  Okay, welcome to our talk on Keypress Hack by Farid Perez, Mauro Eldridge and Luis Ramirez from DC5411.
[00:11.150 --> 00:16.610]  Before we start, I would like to make a brief introduction to both our talk and the speakers.
[00:17.930 --> 00:24.030]  My name is Mauro Eldridge, I'm an Argentine hacker and I work as a cybersecurity architect.
[00:24.030 --> 00:38.350]  I'm the founder of DC5411 Argentina and I was a speaker for DEFCON, DEFCON Siberia, RoadSec Brazil, Dragonjar Colombia, POSCON Iran, Texas Cyber Summit among other conferences.
[00:39.170 --> 00:42.930]  Now my co-speakers are going to introduce themselves.
[00:45.690 --> 00:47.950]  Thank you, Mauro.
[00:47.950 --> 00:56.770]  Hello everyone, my name is Farid Perez, I am a Colombian hacker, systems engineer and master in telecommunications.
[00:56.770 --> 01:06.450]  I work as a professor at the University of La Guajira and I am a member of the DC5411 group.
[01:06.450 --> 01:13.170]  Also, I've been a speaker at Dragonjar Colombia and now at DEFCON in this village.
[01:14.030 --> 01:15.450]  Thank you, Farid.
[01:15.450 --> 01:19.390]  Hello everyone, my name is Luis Ramirez Mendoza from Colombia.
[01:19.390 --> 01:27.550]  I am an electronic engineer and hacker and a computer security and artificial intelligence teacher at the University of La Guajira.
[01:27.550 --> 01:33.770]  A speaker in Dragonjar Colombia, DEFCON region village number 5411.
[01:36.660 --> 01:44.920]  Well, the objective of this talk is to show the assembly of a bad USB device discreetly mounted inside a keyboard.
[01:44.920 --> 01:52.080]  With the ability to send the victim's keystrokes over the internet, like a remote keylogger.
[01:52.280 --> 01:59.420]  This talk focuses exclusively on the construction of this type of artifact and includes a video demo at the end.
[02:00.380 --> 02:08.180]  This is the tampered keyboard we are using. As you may see, it seems at first glance like a pretty normal classical keyboard.
[02:08.800 --> 02:10.940]  But, well, it isn't.
[02:12.400 --> 02:20.860]  Now, my co-speakers and friends Farid and Luis are going to explain the magic behind this electronic tampering.
[02:20.980 --> 02:22.180]  Thank you.
[02:22.180 --> 02:33.480]  In the first place, we have the keyboard. You can choose any type of keyboard that has a USB connector,
[02:33.480 --> 02:41.760]  so that the alteration we are going to make is not very visible.
[02:44.000 --> 02:58.580]  The ESP8266 WiFi module will allow us to connect the Arduino to the internet,
[02:58.580 --> 03:13.980]  in order to send the keyboard data to a MySQL database, so that everything captured on the keyboard is stored.
[03:16.230 --> 03:42.750]  To optimize the size, it was decided to use the Arduino Nano, so that it can be easily hidden in the keyboard, and also for the translation of the keystrokes to be stored in the MySQL database.
[03:43.750 --> 04:08.230]  A standard USB cable with a USB Mini-B connector replaces the keyboard cable, since it must be connected to the Arduino, through which all the information must pass in order to apply the keylogger.
[04:12.280 --> 04:32.900]  To receive this information, we will host a C2 server with PHP, MySQL and phpMyAdmin, in order to receive all the values entered on the keyboard.
[04:32.900 --> 04:58.260]  We will also have the Arduino programming interface, where we will enter the code necessary to interpret each keystroke emitted by the keyboard, which must then be sent to be stored in the database.
[04:59.820 --> 05:11.460]  In this image, the Arduino IDE interface on the PC.
[05:12.240 --> 05:22.980]  And, very important and very fundamental, to have a lot of patience.
[05:22.980 --> 05:39.880]  To achieve good results, this never comes out the first time, and on many occasions it does the opposite of what you expect.
[05:39.880 --> 05:53.900]  And even more so when you organize the circuit and the solder becomes damaged, or something very unexpected happens.
[05:58.570 --> 06:22.210]  Taking into account Hardware Hacking 101, we have the plans that list the components used in this project: if we want to do it ourselves, we must use a normal keyboard, or the model most used in your country.
[06:22.210 --> 06:47.490]  The wireless network component for Arduino, the ESP8266, and the Arduino Nano, a standard USB cable, a C2 server, the Arduino programming interface on the PC and, above all and most important, a lot of patience.
[06:49.340 --> 07:03.900]  In this diagram, it is possible to observe the scheme that our keyboard has, because it represents how the attack
[07:03.900 --> 07:24.400]  is shaped and each of the components detailed previously, in order to perform the respective operations to obtain the information of each key entered by the victim.
[07:24.400 --> 07:52.660]  We have the connection diagram of each of the pins between the Arduino Nano, the wireless interface for the Arduino, the ESP8266, and the keyboard, which indicates exactly where each connection must be made
[07:52.660 --> 08:11.740]  for its proper operation. On the connection board for the keyboard, there were many drawbacks at the time of soldering and making first contact in each of the terminals of the side connection.
[08:11.740 --> 08:33.640]  In the same way, when it is not holding the membrane and not making contact, it will work poorly, because it will not make enough contact for the computer to verify each of the keystrokes made.
[08:37.500 --> 08:51.830]  You have in the image the representation of each of the components mentioned above for this respective assembly and operation.
[08:53.100 --> 08:59.920]  An image of the aforementioned boards fully operational.
[08:59.920 --> 09:06.460]  Here we are verifying if the computer recognizes the keyboard.
[09:10.860 --> 09:18.780]  In the graphic, we can observe that all modifications did not alter the computer's recognition of the keyboard.
[09:23.560 --> 09:29.360]  Here we are already assembling the keyboard for the pendulum testing.
[09:34.800 --> 09:46.800]  When a key is pressed, it joins the connected traces, the row and the column, which feed the data to the computer; in addition to going to the computer,
[09:46.980 --> 09:57.020]  it is also read by the Arduino, which detects the continuity and waits for the signal to send to the Wi-Fi module.
[10:01.980 --> 10:08.440]  This is how our keyboard would look like on the inside.
[10:14.260 --> 10:20.940]  As we can appreciate, all the pieces are cheap and easy to get into the device.
[10:20.940 --> 10:27.900]  It doesn't weigh much, and there are no signs that would make the victim suspect anything.
[10:31.860 --> 10:46.780]  Here is the schematic: the Arduino and the ESP are connected via serial, which means that one transmits and the other receives when a keystroke is received from the keyboard PCB.
[10:47.960 --> 10:55.220]  The first thing to do is to determine which are the rows and which are the columns of the keyboard PCB.
[10:56.280 --> 11:03.300]  When a key is pressed, its row and its column are in contact.
[11:03.520 --> 11:05.520]  The Arduino also waits for a click.
[11:06.840 --> 11:13.480]  The coding is with main, the translation to node, which keep transmitting.
[11:13.480 --> 11:26.600]  The ESP also has received pulsation, due to the Arduino not having a node on the connecting and the PCB of keyboard.
[11:27.600 --> 11:37.260]  To simplify the coding, the Keypad library is used, which works on the same principle.
[11:37.260 --> 11:43.920]  In it, you define which pins are rows and which are columns.
[11:47.730 --> 11:57.750]  Here we can see a part of the ESP configuration, ready and waiting for keystrokes to send them to the database.
[12:00.970 --> 12:14.790]  Here it is demonstrated how the Arduino interprets every keystroke and turns it into its respective character, to be stored in the variable which will end up in the database.
[12:17.830 --> 12:21.530]  POST request to the C2 server.
[12:25.730 --> 12:32.890]  In the graphic, we observe the code that sends the information to the database.
[12:34.550 --> 12:44.950]  Now that you know how to build this bad USB keyboard, let's take a look at how to use it to exfiltrate data, and how it works behind the scenes.
[12:46.930 --> 12:56.430]  So far we know that the keyboard is tampered with an Arduino hack, which acts as a buffer for the user's input data.
[12:56.430 --> 13:05.930]  This Arduino hack is connected to an ESP8266, which provides it with network functions.
[13:05.930 --> 13:11.650]  Basically, it connects to any open Wi-Fi connection to relay the data.
[13:11.650 --> 13:28.810]  So, whenever the buffer is full or a certain time has passed, the buffer closes itself and uploads its data by issuing an HTTP post request to our server, to the command and control server.
[13:29.630 --> 13:38.030]  Then, on the server, a PHP script is listening and parsing the data and sending it to our MySQL database.
[13:39.650 --> 13:48.750]  So, you might ask yourself, what are all these 28 rows? These are sessions.
[13:48.910 --> 13:52.590]  And how does this keyboard manage sessions?
[13:52.590 --> 14:02.610]  Well, whenever the buffer reaches a certain amount of data or a certain time of inactivity passes,
[14:02.610 --> 14:10.890]  the buffer will close itself and will create what we call a session and upload it with a number.
[14:11.830 --> 14:17.910]  Whenever it is uploaded, the buffer will be cleared and then a new session is created.
[14:18.510 --> 14:22.890]  So, for example, here, let's take a deep look.
[14:23.150 --> 14:28.950]  Here we have session 11, where the user attempts to open gmail.com.
[14:28.950 --> 14:38.610]  Then, a certain time passes and the user jumped into another task, as you may see on session 12.
[14:39.050 --> 14:44.170]  He started writing anything else, a document or whatever, an email.
[14:44.510 --> 14:58.290]  Then, on session 13, the user came back to Gmail, he jumped back to Gmail sites and entered his or her credentials, his or her email and password.
[14:59.910 --> 15:06.270]  So, how much will it cost to build this kind of device? Not so much, actually.
[15:06.510 --> 15:15.170]  We have taken into account the most expensive prices available and, even so, it is not expensive at all.
[15:15.650 --> 15:24.170]  You can have a classic keyboard for 9 or 12 dollars, an Arduino Nano for 7 to 13 dollars
[15:24.170 --> 15:32.470]  and the ESP8266, which is a very popular product, for 10 or 12 dollars.
[15:33.090 --> 15:43.530]  And let's suppose you want to have a cloud instance for your command and control server, it will cost something around 5 dollars a month.
[15:43.530 --> 15:49.950]  So, for 30 or 35 dollars you can have your hardware hacking cluster.
[15:51.590 --> 15:59.190]  Now it's time for a demo to see how the keyboard might work on our controlled environment.
[18:40.590 --> 18:45.050]  Time to jump into conclusions and questions and answers.
[18:45.990 --> 18:55.670]  You have to always be wary of any new device, whether USB or not. Anyone, and I say anyone, could be a victim.
[18:55.670 --> 19:07.890]  Let's be honest here. Would you have been able to detect this tampered keyboard in your environment, for example, if it was lying around the desks of your office?
[19:08.770 --> 19:19.090]  What makes this situation worse overall is that, with a few dollars, anyone could build or even buy a product of this type.
[19:19.090 --> 19:28.370]  Watch out for counterfeit hardware. Just some days ago, fake Cisco switches were found deployed in production environments.
[19:28.550 --> 19:32.130]  And nothing less than core switches.
[19:34.190 --> 19:48.810]  And think about it. If we were able to produce these apparatus with so few resources, it is safe to assume that an entity with greater resources could produce them on a large scale.
[19:51.090 --> 20:01.490]  So, if you want to get in touch with us on GitHub, feel free to add us at Mauro Eldridge and DC5411. Or on Twitter, you have our handles here.
[20:01.490 --> 20:10.150]  We are always happy to talk about hardware hacking and hacking in general, so don't be shy to join.
[20:10.970 --> 20:22.650]  And we are here to answer any of your questions, so we hope you liked this talk, and we are looking forward to seeing you again next year. Thank you.
